From d11c92cca94992618376518a47030da7f809b2ca Mon Sep 17 00:00:00 2001
From: Kristian Klausen
Date: Sat, 26 Dec 2020 20:00:55 +0100
Subject: [PATCH 1/2] Setup MTA-STS for remaining mail domains

https://tools.ietf.org/html/rfc8461
---
 roles/mta_sts/defaults/main.yml | 12 +++++++++++-
 roles/mta_sts/tasks/main.yml | 6 ++++--
 roles/mta_sts/templates/nginx.d.conf.j2 | 23 +++++++++++++----------
 tf-stage1/archlinux.tf | 8 ++++++--
 4 files changed, 34 insertions(+), 15 deletions(-)

diff --git a/roles/mta_sts/defaults/main.yml b/roles/mta_sts/defaults/main.yml
index 4ec5575a..23f42431 100644
--- a/roles/mta_sts/defaults/main.yml
+++ b/roles/mta_sts/defaults/main.yml
@@ -1 +1,11 @@
-mta_sts_domain: mta-sts.archlinux.org
+mta_sts:
+ - mx:
+ - mail.archlinux.org
+ domains:
+ - archlinux.org
+ - aur.archlinux.org
+ - master-key.archlinux.org
+ - mx:
+ - luna.archlinux.org
+ domains:
+ - lists.archlinux.org
diff --git a/roles/mta_sts/tasks/main.yml b/roles/mta_sts/tasks/main.yml
index 26dca3ea..e33b579f 100644
--- a/roles/mta_sts/tasks/main.yml
+++ b/roles/mta_sts/tasks/main.yml
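Review bot: The order of `domains` inside each `mta_sts` entry in roles/mta_sts/defaults/main.yml is load-bearing but nothing says so: the tasks and the nginx template derive the certificate lineage and the log directory from `item.domains | first`, so reordering a group silently changes which certificate and log path are used. A comment above the list would prevent that, e.g. `# The first domain of each group names the certificate lineage and log dir (mta-sts.<first domain>); keep it first.` It is also worth stating that all domains of a group share one policy file and therefore must have the same MX set, since the template emits `config.mx` once per group.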
@@ -1,9 +1,11 @@
 ---
 - name: create ssl cert
- command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ mta_sts_domain }}' creates='/etc/letsencrypt/live/{{ mta_sts_domain }}/fullchain.pem'
+ command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d mta-sts.{{ item.domains | join(' -d mta-sts.') }} creates='/etc/letsencrypt/live/{{ "mta-sts." + item.domains | first }}/fullchain.pem'
+ loop: "{{ mta_sts }}"
 - name: make nginx log dir
- file: path=/var/log/nginx/{{ mta_sts_domain }} state=directory owner=root group=root mode=0755
+ file: path=/var/log/nginx/{{ "mta-sts." + item.domains | first }} state=directory owner=root group=root mode=0755
+ loop: "{{ mta_sts }}"
 - name: set up nginx
 template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/mta-sts.conf" owner=root group=root mode=644
diff --git a/roles/mta_sts/templates/nginx.d.conf.j2 b/roles/mta_sts/templates/nginx.d.conf.j2
index 894a56f5..5b9ff8fb 100644
--- a/roles/mta_sts/templates/nginx.d.conf.j2
+++ b/roles/mta_sts/templates/nginx.d.conf.j2
@@ -1,10 +1,12 @@
+{% for config in mta_sts %}
+{% set domain = "mta-sts." + config.domains | first %}
 server {
 listen 80;
 listen [::]:80;
- server_name {{ mta_sts_domain }};
+ server_name mta-sts.{{ config.domains | join(' mta-sts.') }};
- access_log /var/log/nginx/{{ mta_sts_domain }}/access.log reduced;
- error_log /var/log/nginx/{{ mta_sts_domain }}/error.log;
+ access_log /var/log/nginx/{{ domain }}/access.log reduced;
+ error_log /var/log/nginx/{{ domain }}/error.log;
 include snippets/letsencrypt.conf;
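Review bot: The `creates=` guard on the looped certbot command in tasks/main.yml keys on the first domain's fullchain.pem only, so once a group's certificate exists, adding a domain to that group never re-runs certbot and the new `mta-sts.<domain>` name is served from a certificate that does not contain it; MTA-STS policy fetches for that name then fail on the certificate check. That limitation deserves a comment on the task, e.g. `# creates= checks the first domain only; after adding a domain to an existing group, re-run certbot by hand with --expand (or remove the lineage)`. Dropping the guard is not a fix on its own, because `--renew-by-default` would then re-issue on every play run. The same `first`-derived path is used by the log-dir task below and by nginx.d.conf.j2, so the group's first domain must not be changed without also migrating the lineage and log directory.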
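Review bot: The `server_name` expression `mta-sts.{{ config.domains | join(' mta-sts.') }}` in the :80 block is repeated verbatim in the :443 block later in nginx.d.conf.j2, while `domain` is computed once at the top of the loop. Computing it next to `domain`, `{% set server_names = "mta-sts." + config.domains | join(' mta-sts.') %}`, and writing `server_name {{ server_names }};` in both blocks keeps the two from drifting and leaves the `-d` list in tasks/main.yml as the only other place the naming scheme is spelled out. The :80 server block continues past the end of this hunk.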
@@ -17,18 +19,18 @@ server {
 server {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
- server_name {{ mta_sts_domain }};
+ server_name mta-sts.{{ config.domains | join(' mta-sts.') }};
- access_log /var/log/nginx/{{ mta_sts_domain }}/access.log reduced;
- error_log /var/log/nginx/{{ mta_sts_domain }}/error.log;
+ access_log /var/log/nginx/{{ domain }}/access.log reduced;
+ error_log /var/log/nginx/{{ domain }}/error.log;
- ssl_certificate /etc/letsencrypt/live/{{ mta_sts_domain }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/{{ mta_sts_domain }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/{{ mta_sts_domain }}/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/chain.pem;
 location /.well-known/mta-sts.txt {
 default_type text/plain;
- return 200 'version: STSv1\nmode: testing\nmax_age: 604800\nmx: mail.archlinux.org\n';
+ return 200 'version: STSv1\nmode: testing\nmax_age: 604800\nmx: {{ config.mx | join('\\nmx: ')}}\n';
 }
 location / {
@@ -36,3 +38,4 @@ server {
 return 404;
 }
 }
+{% endfor %}
diff --git a/tf-stage1/archlinux.tf b/tf-stage1/archlinux.tf
index 0fe5c1f0..32a8e244 100644
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -614,15 +614,19 @@ resource "hetznerdns_record" "archlinux_org_mail_aaaa" {
 }
 resource "hetznerdns_record" "archlinux_org_mtasts_cname" {
+ for_each = toset(["", ".aur", ".master-key", ".lists"])
+
 zone_id = hetznerdns_zone.archlinux.id
- name = "mta-sts"
+ name = "mta-sts${each.value}"
 value = "mail"
 type = "CNAME"
 }
 resource "hetznerdns_record" "archlinux_org__mtasts_txt" {
+ for_each = toset(["", ".aur", ".master-key", ".lists"])
+
 zone_id = hetznerdns_zone.archlinux.id
- name = "_mta-sts"
+ name = "_mta-sts${each.value}"
 ttl = 600 # date +%s
 value = "\"v=STSv1; id=1608210175\""
-- GitLab
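Review bot: The policy body returned from the `/.well-known/mta-sts.txt` location now varies per group through `config.mx`, but `mode: testing` and `max_age: 604800` stay hard-coded, so no group can be moved to `enforce` on its own once the TLSRPT reports added in the second patch look clean. `mode: {{ config.mode | default('testing') }}` (and the same for `max_age`) would let defaults/main.yml carry the whole policy while keeping today's output unchanged. It is also worth a comment above the `return 200` line that any change to this generated text — mx list, mode or max_age — must be accompanied by a new `id` in the `_mta-sts` TXT record in tf-stage1/archlinux.tf, otherwise senders keep the cached policy for up to max_age. The :443 server block is closed in the following hunk.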
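Review bot: Adding `for_each` to the existing `archlinux_org_mtasts_cname` and `archlinux_org__mtasts_txt` resources changes their addresses from `hetznerdns_record.<name>` to `hetznerdns_record.<name>[""]`, so unless the state is moved first with `terraform state mv` the next apply will plan to destroy and recreate the live `mta-sts` and `_mta-sts` records; the `archlinux_org_smtp_tlsrpt_txt` resource in the second patch has the same issue. The subdomain set `toset(["", ".aur", ".master-key", ".lists"])` is also repeated in both resources here and a third time in the second patch, and has to agree by hand with `mta_sts` in roles/mta_sts/defaults/main.yml. Hoisting it once, `locals { mta_sts_subdomains = toset(["", ".aur", ".master-key", ".lists"]) }`, and using `for_each = local.mta_sts_subdomains` in all three resources leaves one place to edit when a mail domain is added. The `_mta-sts` TXT resource continues past the end of the hunk.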
From c046166f60080f4baae6a22b8cff18cf99d21dd7 Mon Sep 17 00:00:00 2001
From: Kristian Klausen
Date: Sat, 26 Dec 2020 20:18:25 +0100
Subject: [PATCH 2/2] tf-stage1/archlinux: Setup SMTP TLS Reporting for remaining mail domains

---
 tf-stage1/archlinux.tf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tf-stage1/archlinux.tf b/tf-stage1/archlinux.tf
index 32a8e244..b660a9b1 100644
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -678,8 +678,10 @@ resource "hetznerdns_record" "archlinux_org_dmarc_txt" {
 }
 resource "hetznerdns_record" "archlinux_org_smtp_tlsrpt_txt" {
+ for_each = toset(["", ".aur", ".master-key", ".lists"])
+
 zone_id = hetznerdns_zone.archlinux.id
- name = "_smtp._tls"
+ name = "_smtp._tls${each.value}"
 value = "\"v=TLSRPTv1;rua=mailto:postmaster@archlinux.org\""
 type = "TXT"
 }
-- GitLab